473,326 Members | 2,133 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,326 software developers and data experts.

stripslashes() and htmlspecialchars() problem!

If $val is the following:

....Just revamped the site's Content Management Application I built.. so do
bear in mind.. sorry!

Phil
stripslashes(htmlspecialchars($val)) should produce the following, or so I
thought:

<input type=hidden name=alert value="...Just revamped the site's Content
Management Application I built.. so do bear in mind..
sorry!&lt;br&gt;&lt;br&gt;Phil">

Instead, I get:

<input type=hidden name=alert value="...Just revamped the site\'s Content
Management Application I built.. so do bear in mind.. sorry!

Phil">

What combo of stripslashes() and htmlspecialchars() do I use to ensure I get
a single-line entity from an HTML textarea value that could have anything in
it, plain and simple?

Phil
Jul 16 '05 #1
2 8008
"Phil Powell" <so*****@erols.com> wrote in message
news:F1gWa.130$cf.29@lakeread04...
If $val is the following:

...Just revamped the site's Content Management Application I built.. so do
bear in mind.. sorry!

Phil
stripslashes(htmlspecialchars($val)) should produce the following, or so I
thought:

<input type=hidden name=alert value="...Just revamped the site's Content
Management Application I built.. so do bear in mind..
sorry!&lt;br&gt;&lt;br&gt;Phil">

Instead, I get:

<input type=hidden name=alert value="...Just revamped the site\'s Content
Management Application I built.. so do bear in mind.. sorry!

Phil">

What combo of stripslashes() and htmlspecialchars() do I use to ensure I get a single-line entity from an HTML textarea value that could have anything in it, plain and simple?

Phil


Hi Phil,

Just a guess (since this doesn't look like a complete code listing), but are
you picking up the return value, or are you trying to use the string as if
it were passed by reference? This worked for me as long as I displayed the
return value:

$dirty_string = 'Hello. <script
type="text/javascript">window.open("format_hdd.php");</script>';
$clean_string = stripslashes(htmlspecialchars($dirty_string));
echo $dirty_string, '<br />--Becomes--<br />', $clean_string;

Coming from Perl, I've made this mistake plenty in PHP.

HTH,
Zac
Jul 16 '05 #2
"Phil Powell" <so*****@erols.com> wrote in message
news:YFjWa.926$cf.849@lakeread04...
This ended up working for me instead:

foreach ($HTTP_GET_VARS as $key => $val)

if (!in_array($key, $cmaExceptionArray)) {
$val = str_replace("\n\r", '<br>', $val);
$val = str_replace("\n", '<br>', $val);
$val = str_replace("\r", '<br>', $val);
array_push($formQSDupArray, $key); // ADD HERE BEFORE YOU GO TO FORM
PART
echo "<input type=hidden name=$key value=\"" .
stripslashes(htmlentities($val, ENT_COMPAT)) . "\">\n";
}
}

Although I wish I could find a more elegant solution than that.


You can use nl2br to put in your own HTML breaks:

$val = nl2br($val);

This alleviates using three str_replace calls. However, if you want to
still use a replacement method (which drops newlines/returns), I use this
method:

$val = preg_replace('/\n(\r)?/', '<br />', $val);

It might make your code more readable if you do all of your filtering at
once using a function call:

function input_filter($input) {
return(
stripslashes(
htmlentities(
//Add a non-breaking space to sentence spaces.
preg_replace('/ {2}/', '&nbsp; ',
//Replace all newlines
// (with optional carriage returns)
// with <br /> tags.
preg_replace('/\n(\r)?/', '<br />', $input),
),
ENT_COMPAT
)
)
);
}

Then,

$val = input_filter($val);

This should "clean up" a little bit of the code within your loop. This
reduces string filtering to a single line of code, so all you're doing
otherwise is just your form tracking.

HTH,
Zac
Jul 16 '05 #3

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

1
by: lawrence | last post by:
Over on www.monkeyclaus.org I'm getting back slashes showing up on my web pages, where this function outputs. This despite the explicit use of stripslashes(). Does anyone know why this might be?
3
by: SoulSniper | last post by:
I'm working on a modification to a popular blog script, the modification is for putting source code into a post for the world to see. The idea is exactly the same as putting code into a post on a...
1
by: brianj | last post by:
Running php 4.3.6 on winxp machine I have following code: ----------------------------------------------------------------------- Restaurants <select size='1' name='restaurants'> <? while (...
4
by: Dave Moore | last post by:
Hi All, Can anybody point me to a FAQ or similar that describes what all this stuff is about please?. I'm interfacing with a MySQL database if that's relavent. I've read a couple of books which...
4
by: Terry | last post by:
I have a form that my wife uses to update her tennis racket website. I modified it to allow data entry, modify, and delete. If you enter an id number you get the matching record if there is one. ...
2
by: universalbitmapper | last post by:
Hi, $new = htmlspecialchars("<a href=", ENT_QUOTES, 'ISO-8859-15'); echo $new; displays: <a href Instead of :
6
by: Sergei Riaguzov | last post by:
Hmm, I can apply stripslashes() to a string, causing it to remove slashes near quotes (\") but how can I change this quotes to appropriate HTML quotes like &quot;?
23
omerbutt
by: omerbutt | last post by:
hi there i am working on a project based on php mysql and html now as i was using an more secure method to authenticate login information than simply getting the post variables and comparing it with...
8
by: mijn naam | last post by:
Can someone please explain to me why/when one would use htmlspecialchars instead of htmlentities? I know: if you only want to get certain characters translated. This is not the answer I'm...
0
by: DolphinDB | last post by:
Tired of spending countless mintues downsampling your data? Look no further! In this article, you’ll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
0
by: ryjfgjl | last post by:
ExcelToDatabase: batch import excel into database automatically...
0
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: ArrayDB | last post by:
The error message I've encountered is; ERROR:root:Error generating model response: exception: access violation writing 0x0000000000005140, which seems to be indicative of an access violation...
1
by: PapaRatzi | last post by:
Hello, I am teaching myself MS Access forms design and Visual Basic. I've created a table to capture a list of Top 30 singles and forms to capture new entries. The final step is a form (unbound)...
1
by: Defcon1945 | last post by:
I'm trying to learn Python using Pycharm but import shutil doesn't work
1
by: Shællîpôpï 09 | last post by:
If u are using a keypad phone, how do u turn on JavaScript, to access features like WhatsApp, Facebook, Instagram....
0
by: af34tf | last post by:
Hi Guys, I have a domain whose name is BytesLimited.com, and I want to sell it. Does anyone know about platforms that allow me to list my domain in auction for free. Thank you
0
by: Faith0G | last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.